Revision as of 13:33, 25 July 2012

Reboot Type: Type 1

'''ESAPI:Redesign (October 2012 - Columbus, OH) -- $3-5K'''

The ESAPI:Redesign initiative will focus on gathering key players in the Application Security / Development communities to create a new ESAPI vision. The current API is outdated and ineffective in several key areas, and the project has suffered extreme bloat, resulting in a large footprint and in applications being required to carry a lot of functionality that is simply never used. The key objectives for this meeting will be:

* Evaluate the current threat landscape and propose alteration, removal, or addition of controls to the ESAPI core.
* Evaluate the contracts of the API and establish a new API Specification.
* Create a threat model for each control, including the threats the control mitigates, the assumptions made by the contract, and the desired output of the control.
* Establish a testing infrastructure for implementations of controls to ensure compatibility and conformance with the specification.

The budget for this effort is as follows:

* Travel/Lodging for key stakeholders -- $2.5k
** Chris Schmidt (Denver, CO) -- Unconfirmed
** Kevin Wall (Columbus, OH) -- Unconfirmed
** John Steven (Washington, DC) -- Unconfirmed
** Jeff Williams (Columbia, MD) -- Unconfirmed
* Catering (Breakfast/Lunch) -- $500

'''ESAPI:Rebooted Hackathon (December 2012 - Denver, CO) -- $5-8k'''

The ESAPI:Rebooted Hackathon will be a two-day event held in the Denver area during early December. The primary goals of the hackathon are to foster new development and contributions from the development community and to extend the reach of ESAPI into additional platforms. Developers attending the hackathon will compete to create ESAPI-enabled components (leveraging the new API). The core team will be responsible for ensuring the API is ready before the hackathon and for providing it to the participants. Judging for the hackathon will be done by industry specialists and the core ESAPI team. Categories for awards will be:

* Best Mobile Component
* Best Cloud Component
* Best Application Component
* Best Overall Component Package

'''Desired Outcomes of ESAPI:Rebooted'''

* Ready-to-use control components for various platforms using the new ESAPI architecture

It is anticipated that a portion of the budget will be covered by sponsors for the event. Additionally, prizes for the attendees of the Hackathon will be provided by event sponsors.

'''ESAPI:Tutorials Video Series -- ~$2k'''

At the ESAPI Summit in MN last year, the ESAPI Team identified a set of easy-to-follow tutorials on implementing and using ESAPI controls in applications as a key need. These tutorials should be created in the same format as the OWASP Tutorials video library.

The anticipated budget for this is not yet known. The required staff will include (1) Voice Actor, (1) Video Producer, (1) Audio Producer, and (1) Graphic Designer.

'''ESAPI:Documentation Sprint -- ~$2k'''

A need has been identified to produce a reference manual for ESAPI. This manual will cover everything from installation to writing custom controls and components for ESAPI.

The anticipated budget for this is not yet known. The required staff will be (1-3) Authors, (1) Graphic Designer, and (1) Editor.